Minor Snort configuration change?
-
I've been using Snort with automatic updates from snort.org and it works like a champ (pat on the back ;-) for all the good work).
I would like to propose a small change in the way I/we use Snort.
Snort blocks all IPs which are violating the "rules" and then releases them after 60 minutes.
I'd rather block them for more than 60 minutes or, even better, be able to "tick" them off for "block 4 ever". Maybe it's just me, but I see a lot of the same IPs which are constantly blocked.
-
You can change the reset time by modifying /cf/conf/config.xml from Diagnostics -> Edit File.
Look for the cron entry that runs the command /usr/local/sbin/expiretable -t 1800 snort2c.
Change the <minute>60</minute> to whatever you like. Then go to Diagnostics -> Command Prompt and in the PHP command box issue the command:
configure_cron();
Now the expiretable time should change to whatever you define.
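A read-only check for the step above, added here as an example and not part of the original reply: it parses a config.xml and lists every cron item that runs expiretable against the snort2c table, returning an empty list when the file has no such entry. The `<cron><item>` layout, the sample document and the function name are assumptions.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: the <cron><item> layout is an assumption about
# config.xml, not a copy of a real firewall configuration.
SAMPLE_CONFIG = """<pfsense>
  <cron>
    <item>
      <minute>0</minute>
      <hour>*</hour>
      <who>root</who>
      <command>/usr/bin/nice -n20 newsyslog</command>
    </item>
    <item>
      <minute>*/5</minute>
      <hour>*</hour>
      <who>root</who>
      <command>/usr/local/sbin/expiretable -t 1800 snort2c</command>
    </item>
  </cron>
</pfsense>
"""


def find_expiretable_jobs(config_xml, table="snort2c"):
    """Return the cron items that run expiretable against `table`."""
    root = ET.fromstring(config_xml)
    jobs = []
    for item in root.iter("item"):
        command = (item.findtext("command") or "").strip()
        try:
            argv = shlex.split(command)
        except ValueError:
            continue  # unbalanced quotes: not a command we can inspect
        if not argv or not argv[0].endswith("expiretable") or argv[-1] != table:
            continue
        # Value passed to -t, if the option is present before the table name.
        t_value = argv[argv.index("-t") + 1] if "-t" in argv[:-1] else None
        jobs.append({"minute": item.findtext("minute"),
                     "t_value": t_value,
                     "command": command})
    return jobs


if __name__ == "__main__":
    found = find_expiretable_jobs(SAMPLE_CONFIG)
    if not found:
        print("no expiretable cron item for snort2c in this config.xml")
    for job in found:
        print(f"minute={job['minute']} -t={job['t_value']} :: {job['command']}")
```
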
-
Thank you for the quick answer, but I am not able to find any cron entry in this file. The only configuration for Snort in this file is which rules I am using :-)
-
Something to change though would be adding "ac-bnfa" to the list of choices and possibly removing mwm due to security issues (according to the Snort community). At this time you can manually edit a configuration file downloaded from Diagnostics, replace your method of choice there with "ac-bnfa", and reboot.